Cloud computing services provide scalable and cost-effective solutions for data storage, processing, and collaboration. With their growing popularity, concerns about security vulnerabilities are increasing. To address this, we first provide a formal model, called CloudLens, that expresses the relations between different cloud objects, such as users, datastores, and security roles, and thereby represents the access control policies of a cloud system. Second, because access control misconfigurations are often the primary driver of cloud attacks, we develop a planning model for detecting security vulnerabilities; such vulnerabilities can lead to widespread attacks such as ransomware and sensitive data exfiltration. A planner generates attacks to identify these vulnerabilities in the cloud. Finally, we test our approach on 14 real Amazon AWS cloud configurations from different commercial organizations. Our system identifies a broad range of security vulnerabilities that state-of-the-art industry tools cannot detect.
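To make the idea of "a relational model of cloud objects plus a planner that searches for attack paths" concrete, the following is an added illustration, not the paper's CloudLens model or code. It assumes a deliberately small, constructed configuration (users, roles, datastores, and a role-assumption relation) and a breadth-first planner; the object types, relation names, and the sample account are all assumptions for the example, and the misconfiguration it finds (a role trusted to assume a more privileged role) is one generic pattern, not a claim about any organization in the paper's dataset.

```python
"""Toy access-control model and planner, in the spirit of the CloudLens
abstract.  Added example: the object types, relation names, and the sample
configuration below are constructed assumptions, not the paper's model."""
from collections import deque

# Constructed sample configuration (hypothetical account, not real data).
# Users hold roles; a role grants permissions on datastores and may be
# allowed to assume other roles (a trust-policy style edge).  The single
# over-broad "assume" edge on ci-runner is the misconfiguration to detect.
CONFIG = {
    "users": {
        "alice": {"roles": ["analyst"]},
        "contractor": {"roles": ["ci-runner"]},
    },
    "roles": {
        "analyst": {"datastores": {"reports": {"read"}}, "assume": set()},
        "ci-runner": {
            "datastores": {"artifacts": {"read", "write"}},
            # Misconfiguration: a low-trust role may assume the deploy role.
            "assume": {"deploy"},
        },
        "deploy": {"datastores": {"customer-pii": {"read"}}, "assume": set()},
    },
    # Datastores whose exposure counts as a finding.
    "sensitive": {"customer-pii"},
}


def plan(config, start_user, goal_permission="read"):
    """Breadth-first search over states (set of roles currently held).

    Returns the shortest action sequence that lets start_user exercise
    goal_permission on a sensitive datastore, or None if no such path exists.
    """
    roles = config["roles"]
    start = frozenset(config["users"][start_user]["roles"])
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        held, path = queue.popleft()
        # Goal test: some held role grants goal_permission on a sensitive store.
        for role in sorted(held):
            for store, perms in roles[role]["datastores"].items():
                if store in config["sensitive"] and goal_permission in perms:
                    return path + [f"{role}: {goal_permission} {store}"]
        # Expansion: assume any role reachable from a role already held.
        for role in sorted(held):
            for target in sorted(roles[role]["assume"]):
                nxt = held | {target}
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [f"{role}: assume {target}"]))
    return None


def audit(config):
    """Run the planner for every user and collect the paths found.

    Each finding is the evidence a reviewer needs: the first 'assume' step in
    the path is the trust edge to tighten in order to break the chain.
    """
    findings = {}
    for user in config["users"]:
        path = plan(config, user)
        if path is not None:
            findings[user] = path
    return findings


if __name__ == "__main__":
    for user, path in audit(CONFIG).items():
        print(f"{user}: " + " -> ".join(path))
```

Running the audit on the constructed configuration reports one finding, for `contractor`, whose path is the assumption of `deploy` followed by a read of `customer-pii`; `alice` has no path. A real model would carry many more object types and relations (policies, conditions, resource-based grants), but the shape is the same: the planner's output is both the proof that a misconfiguration is exploitable and a pointer to the edge to remove.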